On Tue, Jul 29, 2014 at 12:21 AM, Hajime Morrita morr...@google.com wrote:
I think following XHR behavior makes sense because it is well understood as
it's been there for a long time and both imports and XHR load documents.
I guess. It's also really weird.
--
http://annevankesteren.nl/
I encountered a pre-release site that uses credentials to protect it from
public.
Imports in that site failed to load because the UA didn't send credentials.
The current behavior solved this problem.
There are a couple of options that I didn't take:
- Always send credentials: We clearly
On Tue, Jul 22, 2014 at 12:36 AM, Hajime Morrita morr...@google.com wrote:
It behaved like that before. I changed it to current one so that it works
with credential-protected in-house or staged apps.
You'll need to elaborate a bit, I'm not sure I understand. In any
event, I think
It behaved like that before. I changed it to current one so that it works
with credential-protected in-house or staged apps.
On Wed, Jul 16, 2014 at 10:58 PM, Hajime Morrita morr...@google.com wrote:
https://github.com/w3c/webcomponents/commit/90da4809a207916486bc7af83a568f3762e780a0
Does this really make sense though?
We want to include credentials for same-origin fetches, but not
cross-origin? Why not always
That's right. Thanks for the catch!
Fixed:
https://github.com/w3c/webcomponents/commit/90da4809a207916486bc7af83a568f3762e780a0
On Tue, Jul 15, 2014 at 10:00 AM, Boris Zbarsky bzbar...@mit.edu wrote:
In http://w3c.github.io/webcomponents/spec/imports/#fetching-import the
spec says:
Fetch
In http://w3c.github.io/webcomponents/spec/imports/#fetching-import the
spec says:
Fetch a resource from LOCATION with request's origin set to the
origin of the master document, the mode to CORS and the omit
credentials mode to CORS.
There is no omit credentials mode in the current Fetch